California Consumer Privacy Act (CCPA) Compliance

Regulation (active now)

Are you ready for CCPA Compliance?

On June 28, 2018, California Governor Jerry Brown signed into law Assembly Bill No. 375, the California Consumer Privacy Act (CCPA) [1]. The CCPA grants the state's more than 40 million residents a range of rights comparable to those given to European citizens by the General Data Protection Regulation (GDPR). The two laws are not that similar in detail, but they share some general features: GDPR is an omnibus law, while the CCPA is more limited.

Since the CCPA became law, it has had two major updates. The first occurred on August 24, 2018, with Senate Bill 1121 [2], which introduced 45 largely non-substantive amendments (mostly addressing technical errors); the second occurred on February 25, when California's Attorney General introduced Senate Bill 561 [3] to further clarify and strengthen the Act.

The bulk of the bill deals specifically with consumer privacy protection. For a more comprehensive review, read How to Prepare for the California Consumer Privacy Act.

Part of the CCPA addresses data security specifically, and Thales provides many of the solutions you will need to comply with this part of the Act.

[1] https://www.caprivacy.org/about

[2] https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB1121

[3] Ibid.

The following text is excerpted directly from the CCPA:

1798.150. (a) (1) Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action… [4]

[4] Ibid.

CCPA Compliance Summary

Beyond encryption and redaction, the CCPA does not at this point specifically prescribe what organizations subject to the CCPA must do to protect consumer data from theft. However, this is true of most regulations like CCPA. Instead, they rely on “best practices” to keep pace with the ever-changing digital security environment. Thales is a leader in digital security, and, having helped hundreds of enterprises comply with regulatory regimes around the world, we recommend key data protection technologies called for in virtually every set of regulations.

These include:

  • Data access control
  • Encryption and tokenization (pseudonymization) of data at rest
  • Encryption of data in motion
  • Encryption key management
  • Keeping and monitoring user access logs
  • The use of hardware security modules for executing encryption processes and protecting encryption keys

Data Access Control

Thales Vormetric Data Security Manager enables the organization to limit user access privileges to information systems that contain sensitive information.

SafeNet Trusted Access is a cloud-based access management service that combines the convenience of cloud and web single sign-on (SSO) with granular access security. By validating identities, enforcing access policies and applying Smart Single Sign-On, organizations can ensure secure, convenient access to numerous cloud applications from one easy-to-navigate console.

Adding Thales's SafeNet certificate-based authentication (CBA) smart card solution as an integral part of the IT infrastructure significantly improves client logon security by requiring multi-factor authentication. Adding multiple factors ensures secure login to workstations and enterprise networks, eliminates complex and costly passwords and significantly reduces help desk calls. The smart card also enables easy and reliable visual identification of the card holder and strong communication around corporate identity. Furthermore, the certificate-based solution is fully integrated in a Windows environment when using applications from Microsoft.

With SafeNet Authentication and Access Management solutions, you can leverage a unified authentication infrastructure for both on-premises and cloud-based services—providing a centralized, comprehensive way to manage all access policies. Users can log into enterprise cloud services such as Office 365, Salesforce.com or Google Apps through your existing SafeNet authentication mechanisms.

Encryption and Tokenization

Thales Vormetric Transparent Encryption solution protects data with file and volume level data-at-rest encryption, access controls, and data access audit logging without re-engineering applications, databases or infrastructure. Deployment of the transparent file encryption software is simple, scalable and fast, with agents installed above the file system on servers or virtual machines to enforce data security and compliance policies. Policy and encryption key management are provided by the Vormetric Data Security Manager.

Vormetric Vaultless Tokenization with Dynamic Data Masking dramatically reduces the cost and effort required to comply with security policies and regulatory mandates, such as CCPA. The solution delivers capabilities for database tokenization and dynamic display security. Enterprises can efficiently address their objectives for securing and pseudonymizing sensitive assets—whether they reside in data center, big data, container or cloud environments.

Vormetric Application Encryption delivers key management, signing, and encryption services enabling comprehensive protection of files, database fields, big data selections, or data in platform-as-a-service (PaaS) environments. The solution is FIPS 140-2 Level 1 certified, based on the PKCS#11 standard and fully documented with a range of practical, use-case-based extensions to the standard. Vormetric Application Encryption eliminates the time, complexity, and risk of developing and implementing an in-house encryption and key management solution, with development options including a comprehensive, traditional software development kit for a wide range of languages and operating systems as well as a collection of RESTful APIs for the broadest platform support.

Encryption of Data in Motion

A powerful safeguard for data in motion, SafeNet High-Speed Encryptors deliver high-assurance, certified data-in-motion encryption that meets secure network performance demands: real-time low latency and near-zero overhead, providing security without compromise for data moving across the network.

Encryption Key Management

Thales Vormetric Enterprise Key Management unifies and centralizes encryption key management on premises and provides secure key management for data storage solutions. Cloud Key Management products include the CipherTrust Cloud Key Manager for centralized multi-cloud key life cycle visibility and management with FIPS 140-2 secure key storage, and Cloud Bring Your Own Key.

User Access Logs

The Vormetric Platform’s Security Intelligence Logs let your organization identify unauthorized access attempts and build baselines of authorized user access patterns. Vormetric Security Intelligence integrates with leading security information and event management (SIEM) systems that make this information actionable. The solution allows immediate automated escalation and response to unauthorized access attempts. It also provides all the data needed to specify behavioral patterns required to identify suspicious use by authorized users, as well as for training.

Hardware Security Modules

SafeNet Hardware Security Modules provide the highest level of encryption security by always storing cryptographic keys in hardware. SafeNet HSMs provide a secure crypto foundation, because the keys never leave the intrusion-resistant, tamper-evident, FIPS-validated appliance. Strong access controls prevent unauthorized users from accessing sensitive cryptographic material, since all cryptographic operations occur within the HSM. In addition, Thales implements operations that make the deployment of secure HSMs as easy as possible, and our HSMs are integrated with SafeNet Crypto Command Center for quick and easy crypto resource partitioning, reporting and monitoring.

The award-winning SafeNet Data Protection On Demand solution is a cloud-based platform providing a wide range of cloud HSM and key management services through a simple online marketplace. These include HSM on Demand and Key Management on Demand.

White Paper: How to Prepare for the California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) is set to take effect on January 1, 2020. On that date, California's 40 million residents will be able to use CCPA to learn what data businesses are collecting about them and to suitably protect themselves. The Act will also require businesses to make changes in support of these new rights. For the sake of compliance, it's therefore essential that businesses learn more about CCPA and whether it applies to them.


White Paper: Addressing Key Provisions of the General Data Protection Regulation (GDPR)

Through the General Data Protection Regulation (GDPR), the European Commission intends to strengthen and unify data protection for individuals within the European Union (EU). The Commission’s primary objectives for the GDPR are to return to citizens control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. This paper discusses how to comply with GDPR.


Other key data protection and security regulations

NIST 800-53 / FedRAMP

Mandate (active now)

Since June 5, 2014, federal agencies have been required to meet FedRAMP standards, ensuring they meet internal data security standards and extended security controls for cloud computing.

HIPAA

Regulation (active now)

These regulations cover healthcare information in the US: HIPAA relates to protection (encryption, key management, etc.), and HITECH relates to disclosure of data breaches.

SOX

Regulation (active now)

A United States federal law setting standards for a range of US companies; SOX Act sections 302 and 404 relate directly to data protection.